2. Processing of personal data
2.1. Personal data obtained
(a) In connection with the use of certain app services, SOB and/or the service providers engaged by it (system, distribution and logistics partners) shall obtain the following personal data of the customer:
(i) The master data, which is to be entered during registration, shall include, as a minimum, the forenames, surnames, email address and date of birth of the customer, as well as information regarding the registered payment method. The customer can voluntarily enter more master data (such as work or home location). If fan items are ordered, additional delivery and invoice addresses must be entered.
(ii) The purchasing data provides information about which services or products the customer purchased and when.
(iii) The movement data (location tracking) allows a customer’s journey to be tracked. Movement data is only recorded if the customer gives his permission to do so.
(iv) The usage data provides information about the date and time that the app is called up, the pages visited, the IP address, device ID and type, language settings, volume of data transferred, as well as product and version information for the operating system and browser used by the customer’s end device.
(b) The inspection data shows a time and a section of the route in which a customer actually used a purchased ticket, because it was recorded in the context of an inspection. SOB has no access to the inspection data.
(c) If personal data of third parties is disclosed to SOB (e.g. when recording other passengers), the customer is responsible for ensuring that the people in question give their consent and that the details are correct.
2.2. Purpose of the data processing
(a) SOB processes the personal data of the customer for the following purposes:
(i) For the implementation of the contract, namely to issue electronic tickets and to send out any fan items ordered.
(ii) Unless the customer refuses it: for general advertising targeted at the customer in connection with the services and fan items offered in via the app.
(iii) Unless the customer refuses it: for personalized advertising targeted at the customer, namely in the form of additional offers for services that are tailored to the planned journey or location of the customer.
(b) The movement and usage data shall be further analyzed on an anonymous and aggregate basis for the ongoing optimization of the app and the services and fan items offered there.
(c) The personal data of the customer will only be passed on to third parties if and to the extent that this is necessary for the performance and optimization of the services offered, a credit assessment, concluding a contract with a third-party provider facilitated by SOB or for order and payment processing. Companies associated with SOB (group companies) do not count as third parties.
2.3. Storage of the personal data
(a) The storage period of the personal data of the customer shall be as follows:
(i) Master data: until the customer deletes their profile, but at the earliest 6 months after the last journey is concluded.
(ii) Purchasing data: at least 6 months after conclusion of the journey; if the customer accepts personalization options: until the customer deletes their profile.
(iii) Movement data: until the customer deletes their profile (subject to the customer’s agreement to the recording of their movement data).
(iv) Usage data: until the customer deletes their profile.
3. Data security
(a) SOB shall ensure appropriate data security in accordance with the provisions of the law.
(b) SOB shall secure the app in particular to a reasonable extent by means of technical and organizational measures against loss, deletion, access, alteration or dissemination of the customer’s data by unauthorized persons.
4. Right of access and rectification
(a) In accordance with statutory regulations, the customer shall be entitled to access and/or rectify their stored personal data. Requests for access or rectification must be made in writing or by email and sent along with a copy of an ID document to:
Schweizerische Südostbahn AG
9001 St. Gallen, Switzerland
5. Swipe-In - special provisions
(a) When the customer activates Swipe-In (Check-In), he agrees that his exact location will be recorded by GPS (global positioning system) and WPS (Wi-Fi positioning system) until he stops the recording by checking out at the end of the journey.
(b) The recorded data will be used for travel and pricing purposes.
(c) Data regarding the customer's movements will be kept for 6 months after the end of the trip. If the customer agrees to personalization options, his movement data will be saved until he deletes his profile.
(d) If and insofar as this Clause 9 does not contain any special provisions, the data protection provisions shall apply.